Help webview extensions add a Content Security Policy #79340

@mjbvz

Many webview extensions do not currently set a content security policy. All webviews (even very simple ones) should set a content security policy. This is not an immediate security problem but a content security policy helps to limit the potential impact of content injections and is generally a good measure for defense in depth.

I've put together this initial list of extensions that create webviews that seem not to have a content security policy (there may be false positives). If you are feeling like a security hero, consider helping these extensions out by submitting a PR that adds a restrictive content security policy to their webviews. Here's our documentation to help you get started.

Let me know if an extension has been fixed or was incorrectly flagged.


Key

  • ❗️ - Confirmed and issue opened
  • ✔️ - Fixed
  • ❓ - Can't confirm in current code in GitHub master?
  • Blank - Unconfirmed

Extensions

Labels: good first issue, help wanted, webview
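As an added example (not part of the original issue and not VS Code's own code), here is one way to check a webview's HTML for a missing or weak content security policy before opening a PR. The function names, finding labels, the rules for what counts as "restrictive", and the sample HTML strings are all assumptions constructed for illustration.

```javascript
// Added example: audit webview HTML for a missing or permissive CSP <meta> tag.
// Names, finding labels and the rule set are illustrative assumptions.

// Return the policy from the CSP <meta> tag, "" if it has no content, null if absent.
function extractCsp(html) {
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if (!/http-equiv\s*=\s*["']?content-security-policy/i.test(tag)) continue;
    const m = /content\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag);
    return m ? (m[1] !== undefined ? m[1] : m[2]) : "";
  }
  return null;
}

// Split a policy into { directive: [sources] }; the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Return a list of findings; an empty list means the policy passed these checks.
function auditWebviewCsp(html) {
  const policy = extractCsp(html);
  if (policy === null) return ["missing-csp"];
  const d = parseCsp(policy);
  const findings = [];
  const def = d["default-src"];
  if (!def || def.length !== 1 || def[0] !== "'none'") findings.push("default-src-not-none");
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const scripts = d["script-src"] || def || ["*"];
  // Browsers ignore 'unsafe-inline' when a nonce or hash source is also present.
  const pinned = scripts.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  if (scripts.includes("'unsafe-inline'") && !pinned) findings.push("script-unsafe-inline");
  if (scripts.includes("'unsafe-eval'")) findings.push("script-unsafe-eval");
  if (scripts.some((s) => s === "*" || s === "http:" || s === "https:")) findings.push("script-broad-source");
  return findings;
}

// Constructed sample webview documents (not taken from any real extension).
const SAMPLES = {
  noCsp: `<html><head><meta charset="UTF-8"></head><body>hi</body></html>`,
  weak: `<html><head><meta http-equiv="Content-Security-Policy" content="default-src *; script-src 'unsafe-inline' https:;"></head></html>`,
  strict: `<html><head><meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src https:; script-src 'nonce-abc123'; style-src 'self';"></head></html>`,
};
for (const name of Object.keys(SAMPLES)) console.log(name, auditWebviewCsp(SAMPLES[name]));
```

In a real extension the HTML is usually built from a template string, so run the check on the rendered string; a fresh random nonce per render takes the place of the fixed `abc123` used in the sample.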
